
WordPress users beware! A popular WordPress plugin used on many WordPress sites has been found to contain a dangerous backdoor. It can reportedly steal the credentials of the site's admin. The plugin is able to install a backdoor that alters core WordPress files and steals data. The malicious activity was first spotted by website security company Sucuri, after one of their clients reported a strange file called auto-update.php that had been created after a recent plugin update.


Have you got the faintest idea which WordPress plugin it is yet? It is none other than Custom Content Type Manager (CCTM), which has amassed a large number of users in the past few months. It helps users create custom post types and has been installed on more than 10,000 sites. In the last few weeks the plugin looked as though it was headed for an inevitable end, but then the owner suddenly changed and a new version was pushed out.

Two files included in the update were malicious. The file named auto-update.php let the attackers download files from a remote server onto the infected website. Another file, CCTM_Communicator.php, worked together with an older file and also performed dangerous operations. The plugin could also record the usernames and passwords of other users.

The new owner, dubbed wooranker, pushed the update to some of the plugin's users automatically. He first tried to log into the infected sites manually, but some users had created custom login links that prevented him from getting in. He then used auto-update.php, which dropped a backdoor that altered the core files.

The backdoor always gave wooranker an admin account with full rights on every infected website. This meant he had access to all usernames and passwords before they were hashed. Now for the most important question: who is wooranker? Wooranker had his analytics code published, and all the infections were being reported to the donutjs.com domain. This domain was registered under the name of Vishnudath Mangilipudi, a developer from Andhra Pradesh, India.
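As an added example (not code from the article or from Sucuri), here is a Python check a site owner could run against a WordPress install: it flags the two filenames the article names wherever they appear, and compares the plugin directory against a hash snapshot taken from a known-good install so that files added or altered by a trojanised update stand out. The plugin directory name `custom-content-type-manager` is an assumption, and the WordPress tree in `demo()` is constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Filenames the report above attributes to the malicious CCTM update.
INDICATOR_FILES = {"auto-update.php", "CCTM_Communicator.php"}
# Assumed plugin directory name; adjust to match your install.
PLUGIN_SLUG = "custom-content-type-manager"


def snapshot_plugin(wp_root):
    """Return {relative_path: sha256} for every file under the CCTM plugin
    directory. Take this from a known-good install before updating."""
    root = Path(wp_root)
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in plugin_dir.rglob("*") if p.is_file()}


def find_cctm_indicators(wp_root, baseline):
    """Walk the whole WordPress tree. Flag the indicator filenames wherever
    they appear, and flag plugin files that are new or changed relative to
    the known-good baseline. Returns sorted (kind, relative_path) tuples."""
    root = Path(wp_root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in INDICATOR_FILES:
            findings.add(("indicator-file", rel))
        if rel.startswith(f"wp-content/plugins/{PLUGIN_SLUG}/"):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if rel not in baseline:
                findings.add(("new-plugin-file", rel))
            elif baseline[rel] != digest:
                findings.add(("modified-plugin-file", rel))
    return sorted(findings)


def demo():
    """Constructed sample: a clean plugin install, then a simulated bad update."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin.mkdir(parents=True)
        (plugin / "index.php").write_text("<?php // clean plugin file\n")
        baseline = snapshot_plugin(tmp)          # snapshot before the update
        # Simulated update: new loader file, altered existing file, dropper in core.
        (plugin / "auto-update.php").write_text("<?php // constructed sample\n")
        (plugin / "index.php").write_text("<?php // altered by update\n")
        (Path(tmp) / "wp-includes").mkdir()
        (Path(tmp) / "wp-includes" / "CCTM_Communicator.php").write_text("<?php\n")
        return find_cctm_indicators(tmp, baseline)
```

Run `demo()` to see the four findings; on a real site, take the snapshot from a fresh copy of the plugin and point `find_cctm_indicators` at the web root.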